Subscribe to our Threatpost Today newsletter

Join thousands of people who receive the latest breaking cybersecurity news every day.

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

*

*

I agree to my personal data being stored and used to receive the newsletter

*

I agree to accept information and occasional commercial offers from Threatpost partners

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

Zero Day in Android’s Google Admin App Can Bypass Sandbox

The Android security team at Google is having a busy month. First the Stagefright vulnerabilities surfaced last month just before Black Hat and now researchers at MWR Labs have released information on an unpatched vulnerability that allows an attacker to bypass the Android sandbox.

The vulnerability lies in the way that the Google Admin application on Android phones handles some URLs. If another application on the phone sends the Admin app a specific kind of URL an attacker can bypass the Same Origin Policy and get data from the Admin sandbox.

“An issue was found when the Google Admin application received a URL via an IPC call from any other application on the same device. The Admin application would load this URL in a webview within its own activity. If an attacker used a file:// URL to a file that they controlled, then it is possible to use symbolic links to bypass Same Origin Policy and retrieve data out of the Google Admin sandbox,”the advisory from MWR Labs says.

An attacker can exploit this vulnerability by getting a malicious app on a victim’s phone. MWR Labs notified Google of the vulnerability in March and Google acknowledged the report right away and later said it would have a patch ready by June. But the fix was never pushed out and last week MWR Labs informed Google that it planned to release its advisory, which was published Thursday.

Google did not respond to a request for comment on this story. The vulnerability affects the current version of the app, and may affect earlier versions as well.

“The Google Admin application (com.google.android.apps.enterprise.cpanel), has an exported activity that accepts an extra string called setup_url. This can be triggered by any application on the device creating a new intent with the data-uri set to http://localhost/foo and the setup_url string set to a file url that they can write to, such as file://data/data/com.themalicious.app/worldreadablefile.html,” MWR’s advisory says.

“The ResetPinActivity will then load this in the WebView under the privileges of the Google Admin application.”

MWR says that until a patch is deployed by Google, users with the Google Admin app shouldn’t install any untrusted third party apps, which is good advice for any mobile phone user.

Authors

Threatpost

InfoSec Insider Post

InfoSec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Post

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.